I’m trying to run caddy as www-data user
If I run caddy command as root, it will run fine.
/usr/local/bin/caddy -log=/var/log/caddy/caddy.log -conf=/etc/caddy/Caddyfile -root=/var/tmp
If I run save as www-data, I get error:
open access.log: permission denied
I get error also when I try to run caddy with systemd.
I can’t figure out from where is coming access.log and what is it’s path, to set correct rights.
Archlinux x86_64
Caddy 0.9.3
my CaddyFile:
my-domain {
redir www.my-domain{uri}
}
www.my-domain {
root /var/www/my-domain
#fastcgi / 127.0.0.1:9000 php
fastcgi / /run/php-fpm/php-fpm.sock php
status 403 /forbidden
log /var/log/caddy/my-domain.log {
size 50
age 90
keep 5
}
errors /var/log/caddy/my-domain.errors {
size 50
age 90
keep 5
}
# Begin - Security
# deny all direct access for these folders
rewrite {
if {path} match /(.git|cache|bin|logs|backups|tests)/.*$
to /forbidden
}
# deny running scripts inside core system folders
rewrite {
if {path} match /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$
to /forbidden
}
# deny running scripts inside user folder
rewrite {
if {path} match /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$
to /forbidden
}
# deny access to specific files in the root folder
rewrite {
if {path} match /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess)
to /forbidden
}
## End - Security
# global rewrite should come last.
rewrite {
to {path} {path}/ /index.php?_url={uri}
}
}
systemd service
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-failure
; User and group the process will run as.
User=www-data
Group=www-data
; Letsencrypt-issued certificates will be written to this directory.
Environment=HOME=/etc/ssl/caddy
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log=/var/log/caddy/caddy.log -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp -email=zajca@zajca.cz
ExecReload=/bin/kill -USR1 $MAINPID
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=64
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy
; The following additional security directives only work with systemd v229 or later.
; They further retrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true
[Install]
WantedBy=multi-user.target